MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c1b12be1067ff4a545a6f94c820cad44ec7c13250003f76c4e601d61be5c56a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	8c1b12be1067ff4a545a6f94c820cad44ec7c13250003f76c4e601d61be5c56a
SHA3-384 hash:	8b3bb591c0ecc21c03cc45e8684fc588c941aa50c80ed614693bbb375845dceb5410a7e8fdaf81a2d45718efcbafbafa
SHA1 hash:	d99fef9e9f7f1615ce95d35a53e10156a5722fd5
MD5 hash:	210f433a5bd1dce3270da1491e35e45b
humanhash:	wolfram-alaska-india-one
File name:	vaccine release for Corona-virus(COVID-19)_pdf.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	102'400 bytes
First seen:	2020-04-02 15:46:19 UTC
Last seen:	2020-04-02 16:50:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f0c187de23cd703cf896582b413b1aa6 (1 x GuLoader)
ssdeep	768:1dGOe5YdtUBnqjGI9PQwmg/KYb5tY1tmAac4co/E2C1CHc8:1MOdtUBqjGkQlgCb1MAa3/eU
Threatray	397 similar samples on MalwareBazaar
TLSH	72A3B312FA90FE90C0015EB08D7ADAEC4226BC309D556E477AE43F6F3A71285B591B4B
Reporter	abuse_ch
Tags:	COVID-19 exe GuLoader

abuse_ch

COVID-19 themed malspam distributing GuLoader:

HELO: ns392991.ip-176-31-110.eu
Sending IP: 176.31.110.7
From: Dr. Kim Jung <info@hardworkingincs.pro>
Subject: Latest vaccine release for Corona-virus(COVID-19)
Attachment: vaccine release for Corona-virusCOVID-19_pdf.rar (contains "vaccine release for Corona-virus(COVID-19)_pdf.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1bFy5HnzXjqp_6iwYqe0llnfhnqmeXAiR

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.Genkryptik-7666399-0

Gathering data

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2020-04-02 14:55:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 31 (80.65%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rqnrfpqqm77uuvc2n6kmqigk2rhmpqjskaad65we4ya5mg7fyvva._file

Verdict:

malicious

Label(s):

guloader

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 3ffcfce8f63363be09d081e5ae11670e7cf89e73bad9df96c4690e6945e5bfba

GuLoader

exe 8c1b12be1067ff4a545a6f94c820cad44ec7c13250003f76c4e601d61be5c56a

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/334045/

Dropped by

MD5 87baa11625e558dce94fe4c7bd987ac5

Dropped by

SHA256 3ffcfce8f63363be09d081e5ae11670e7cf89e73bad9df96c4690e6945e5bfba

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::__vbaObjSetAddref MSVBVM60.DLL::EVENT_SINK_AddRef MSVBVM60.DLL::__vbaFileOpen

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample